No matter what platform you use, your containers are based on images. That means the security of your deployments starts at the image level, where developers and action meet. And no matter how careful you are, if you’re basing your containers on images that contain vulnerabilities, the security of your apps and services will be weak. As a cloud native developer, you cannot allow that.
So what do you do?
Most often you base everything you do on official images, those tagged and flagged by reputable companies and developers. And for the most part, you can trust those images.
Until you can’t — until that one vulnerability slips by, the one that (in conjunction with every other moving part in your deployment) wreaks havoc.
Without actually doing your part to check on those images, it’s all a game of trust. Do you really want to leave it at someone else’s word? Probably not.
So what do you do?
You make use of the available tools to scan those images for vulnerabilities. Some of those tools are quite the challenge to get up and running. Fortunately, however, there are easy-enough options that any developer or admin could use. One such tool is the open source Anchore Engine. With this command-line tool, you can scan the images you want to use to find out if it contains any known CVE issues.
I’m going to walk you through the process of installing and using Anchore Engine, so you can take the guesswork out of those images.
I’ll be demonstrating on Ubuntu Server 20.04, but Anchore Engine can be deployed and used on any system that supports docker-compose.
The first thing to take care of is the installation of docker-compose. For this, you will first need to install docker. Log into Ubuntu Server and issue the command:
sudo apt-get install docker.io -y
After the installation completes, add your user to the docker group with the command:
sudo usermod -aG docker $USER
After that completes, log out and log back in.
Now we can install docker-compose. Download the necessary file with the command:
sudo curl -L "https://github.com/docker/compose/releases/download/1.28.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
Give the newly-downloaded file executable permissions with the command:
sudo chmod +x /usr/local/bin/docker-compose
You can verify the installation with the command:
You should see something like:
docker-compose version 1.28.5, build c4eb3a1f
Deploy Anchore Engine
With docker-compose ready, we can deploy Anchore Engine. Download the required docker-compose.yaml file with the command:
curl -O https://engine.anchore.io/docs/quickstart/docker-compose.yaml
With the file downloaded, deploy Anchore Engine with the command:
docker-compose up -d
Give the services time to come up and then verify Anchore Engine is running with the command:
docker-compose exec api anchore-cli system status
The output of the command should look something like this:
Service apiext (anchore-quickstart, http://api:8228): up
Service policy_engine (anchore-quickstart, http://policy-engine:8228): up
Service simplequeue (anchore-quickstart, http://queue:8228): up
Service analyzer (anchore-quickstart, http://analyzer:8228): up
Service catalog (anchore-quickstart, http://catalog:8228): up
Engine DB Version: 0.0.14
Engine Code Version: 0.9.0
You’re ready to start scanning.
Sync the Engine
Scanning an image with Anchore Engine isn’t exactly straightforward. After you ran the last command, Anchore Engine will start syncing the vulnerability data with the engine. To check the status of the sync, issue the command:
docker-compose exec api anchore-cli system feeds list
You should see that all entries under RecordCount are listed as “None” (Figure 1).
The full sync will take some time, so walk away or take care of some other tasks. Check back now and then (using the same command you last ran) and eventually, all the data in the RecordCount will have a numerical value (Figure 2).
Scanning an Image
Let’s scan the latest Ubuntu image (20.04) for vulnerabilities. The first thing to be done is to fetch the image content and extract it with the command:
docker-compose exec api anchore-cli image add docker.io/library/ubuntu:20.04
After the image has been added, we then analyze the image, using a set of Anchore analyzers to classify the metadata. The first thing to do is use the wait command to ensure the image has transitioned to analyzed, with the command:
docker-compose exec api anchore-cli image wait docker.io/library/ubuntu:20.04
The output of the above command should like similar to:
Image Digest: sha256:e3d7ff9efd8431d9ef39a144c45992df5502c995b9ba3c53ff70c5b52a848d9c
Parent Digest: sha256:b4f9e18267eb98998f6130342baacaeb9553f136142d40959a1b46d6401f0f2b
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2021-03-20T13:00:42Z
Image ID: 4dd97cefde62cf2d6bcfd8f2c0300a24fbcddbe0ebcd577cc8b420c29106869a
Dockerfile Mode: Guessed
Distro Version: 20.04
Layer Count: 3
Full Tag: docker.io/library/ubuntu:20.04
Tag Detected At: 2021-03-20T12:58:34Z
If all data is filled out, you’re ready to continue. You can find out every piece of software included in the image with the command:
docker-compose exec api anchore-cli image content docker.io/library/ubuntu:20.04 os
Finally, we run the vulnerability scan with the command:
docker-compose exec api anchore-cli image vuln docker.io/library/ubuntu:20.04 all
After the scan completes, it will report all known CVEs found within the image and report them accordingly (Figure 3).
And there you have it. You are now empowered with the necessary information about image security and can take action. If you find an image that contains CVEs that go against your company security policy (and could cause problems), you could abandon that image and find another one, or wait until those vulnerabilities are addressed (or address them yourself).
Used regularly, a tool like Anchore Engine could ensure your cloud native development lifecycle always starts with a secure foundation.